Two laws, different standards

PIPEDA (the Personal Information Protection and Electronic Documents Act) is Canada's federal privacy law for private-sector organizations. It applies across Canada except in provinces that have enacted their own substantially similar legislation — which Quebec has.

Law 25 (the Act to modernize legislative provisions as regards the protection of personal information) is Quebec's provincial privacy law. It applies to all private-sector organizations operating in Quebec or processing personal information of Quebec residents.

For organizations operating in Quebec, Law 25 is the primary governing framework. But PIPEDA still applies to federally regulated industries (banking, telecommunications, airlines) and to interprovincial or international commercial activities. Many organizations find themselves subject to both — and Law 25 is the more demanding of the two in nearly every area.

The comparison

Requirement: Privacy Officer
  PIPEDA: Recommended but not strictly mandated
  Law 25 (Quebec): Mandatory; defaults to the CEO if not designated; name must be published on the website

Requirement: Consent standard
  PIPEDA: Meaningful consent required; implied consent acceptable in many contexts
  Law 25 (Quebec): Express opt-in consent required; implied consent narrowly limited; consent for minors under 14 requires parental authorization

Requirement: Privacy Impact Assessment
  PIPEDA: Not required by statute (recommended by OPC guidance)
  Law 25 (Quebec): Mandatory before cross-border transfers, before processing sensitive data, and for new information systems

Requirement: Cross-border transfers
  PIPEDA: Permitted with comparable protections; no formal TIA required
  Law 25 (Quebec): Formal Transfer Impact Assessment required; must evaluate the adequacy of the receiving jurisdiction's legal framework

Requirement: Data breach notification
  PIPEDA: Report to the OPC if there is a "real risk of significant harm"; notify affected individuals
  Law 25 (Quebec): Report to the CAI if there is a "risk of serious injury"; notify affected individuals; maintain an incident register for 5 years

Requirement: Right to data portability
  PIPEDA: Not included
  Law 25 (Quebec): Yes; individuals can request their data in a structured, portable format (effective September 2024)

Requirement: Right to de-indexation
  PIPEDA: Not included
  Law 25 (Quebec): Yes; individuals can request de-indexation of personal information linked to their name

Requirement: Private right of action
  PIPEDA: No; complaints go through the OPC
  Law 25 (Quebec): Yes; individuals can pursue civil damages; minimum $1,000 per violation; class actions permitted

Requirement: Maximum penalty
  PIPEDA: $100,000 per violation
  Law 25 (Quebec): $25 million or 4% of global turnover (whichever is greater)

Requirement: Enforcement body
  PIPEDA: Office of the Privacy Commissioner (OPC)
  Law 25 (Quebec): Commission d'accès à l'information (CAI)

Requirement: Incident register
  PIPEDA: Must maintain records of all breaches
  Law 25 (Quebec): Must maintain a register for a minimum of 5 years; a copy must be provided to the CAI on request

Where Law 25 is meaningfully stricter

Consent

PIPEDA allows implied consent in many commercial contexts — for example, when a customer provides their email to complete a purchase, consent to use that email for order fulfillment is implied. Law 25 takes a much stricter approach, generally requiring express, specific consent for each purpose. For sensitive information, consent must be obtained separately and specifically. For minors under 14, parental consent is required.

In the SaaS context, this means your privacy policies, cookie banners, and data collection flows need to meet Law 25's higher consent bar if you serve Quebec residents — even if your PIPEDA-compliant processes have been working fine elsewhere in Canada.

Cross-border data transfers

This is the area where the gap between the two laws is most significant for SaaS compliance. PIPEDA requires organizations to ensure "comparable protection" when data is transferred to a third-party processor, but it doesn't mandate a formal assessment process. The OPC has issued guidance suggesting organizations consider the legal framework of the receiving jurisdiction, but this is guidance, not statute.

Law 25 makes the assessment mandatory. Before communicating personal information outside Quebec, you must conduct a Privacy Impact Assessment that evaluates the receiving jurisdiction's legal framework. The transfer can only proceed if the assessment demonstrates adequate protection. This is a documented, reviewable obligation — the CAI can request your assessments at any time.

For organizations with substantial SaaS stacks, this is where the compliance burden concentrates. Every US-based SaaS tool that processes personal information triggers this requirement.

Penalties

PIPEDA's maximum penalty of $100,000 per violation was considered meaningful when the law was enacted, but it's modest by modern standards. Law 25's penalties — up to $25 million or 4% of global turnover — are modelled on the GDPR and represent a fundamentally different risk calculus.

Perhaps more significantly, Law 25 provides a private right of action with minimum damages of $1,000 per violation. This means individuals don't need to go through the regulator — they can sue directly, and class actions are explicitly permitted. For organizations processing personal information at scale, the class action exposure is potentially more significant than the regulatory fines.

The CPPA factor

The federal Consumer Privacy Protection Act (CPPA), proposed to replace PIPEDA, would bring federal law closer to Law 25's standards — including mandatory PIAs, higher penalties, and a private right of action. Organizations complying with Law 25 today will be well-positioned when the CPPA eventually passes. Those complying only with PIPEDA will face a larger adjustment.

Which law applies to your organization?

Quebec-based organizations: Law 25 applies to your private-sector activities in Quebec. PIPEDA may also apply if you're in a federally regulated industry or conduct interprovincial/international commercial activities.

Organizations outside Quebec processing Quebec residents' data: Law 25 applies to your processing of Quebec residents' personal information. This is particularly relevant for national organizations with customers, employees, or clients in Quebec.

Federally regulated industries in Quebec: Both laws apply. PIPEDA governs the federal regulatory requirements; Law 25 adds the provincial layer. In practice, meeting Law 25's requirements will generally satisfy PIPEDA's as well, since Law 25 is stricter in every material area.

Organizations with no Quebec nexus: PIPEDA applies (or your province's substantially similar legislation, if applicable). But if you're expanding into Quebec or serving Quebec clients, Law 25 compliance should be on your roadmap.

Practical implications for SaaS compliance

For organizations managing SaaS stacks, the practical differences between PIPEDA and Law 25 come down to a few key areas:

Under PIPEDA only: You should know which SaaS vendors process personal information and ensure they provide comparable protection. You should have reasonable contractual safeguards in place. But there's no formal requirement to conduct documented TIAs or publish a privacy officer on your website.

Under Law 25: You need a designated Privacy Officer (published on your website). You need documented TIAs for every SaaS tool that processes personal information outside Quebec. You need executed DPAs with each vendor. You need an incident register maintained for five years. And your consent processes need to meet the express opt-in standard.

The compliance delta between these two positions is substantial. For a typical organization with 15–20 SaaS tools, moving from PIPEDA-only compliance to Law 25 compliance means completing 10+ TIAs, executing multiple DPAs, updating consent flows, and establishing documentation processes that didn't previously exist.

Start with your stack

HarbourScan maps your SaaS tools to their parent jurisdictions and flags which ones trigger Law 25's TIA requirement, giving you the foundation for the compliance work that PIPEDA doesn't require but Law 25 does.

The trajectory

Law 25 is not an outlier — it's a leading indicator. The proposed CPPA at the federal level, Ontario's ongoing privacy law discussions, and British Columbia's review of its private-sector privacy legislation all point in the same direction: stricter consent requirements, mandatory impact assessments, higher penalties, and more individual rights.

Organizations that treat Law 25 compliance as a Quebec-specific exercise are missing the bigger picture. The standard it sets is where Canadian privacy law is heading nationally. Investing in Law 25 compliance now is investing in readiness for the regulatory environment that's coming.

For more detail on the specific requirements, see our guides "Law 25 and your SaaS stack" and "Transfer Impact Assessments under Law 25".
